
VPN working with 2 FreeBSD hosts that each have dynamic IPs.

First set up 2 dynamic IP hostnames from a dynamic DNS provider (the author uses dynu, see below),
then get the update clients for BSD, install them and make sure they are working.

Next add this IPsec policy to each host:

spdadd 4 -P out ipsec esp/transport//require;
spdadd 4 -P in ipsec esp/transport//require;

This policy, unlike most I have seen in the howtos, encrypts the outside of the tunnel rather than the inside: it requires ESP in transport mode for all gif tunnel traffic (IP protocol 4, i.e. IP-in-IP encapsulation) sent and received by this host. It also has the advantage that it does not have to be updated every time a new private network is added to either site's VPN router.

Next, cron this script to run every minute on each host:


#!/usr/local/bin/bash
# Recreates a gif tunnel whenever the resolved address of either end has changed.
# Run from cron every minute. Needs bash (uses the function keyword and echo -e).

# create_tun arguments:
# 1 = remote host (resolved ip)
# 2 = tun number
# 3 = local tunnel end
# 4 = remote tunnel end
# 5 = tunnel netmask
# 6 = my public ip

me="your host name"

function create_tun () {
  echo -e "Creating tunnel for $1"
  /sbin/ifconfig gif"$2" destroy
  /sbin/ifconfig gif"$2" create tunnel $6 $1
  /sbin/ifconfig gif"$2" $3 netmask $5 $4 netmask $5
  echo /sbin/ifconfig gif"$2" create tunnel $6 $1
  # remember which addresses this tunnel was built with
  echo $1 > /tmp/.gif"$2"
  echo $6 > /tmp/.gifme
}

# check arguments:
# 1 = remote host (ip as resolved now)
# 2 = tun number
# 3 = my ip (as resolved now)
# returns 0 if the tunnel must be (re)created, 1 if it is already up to date

function check () {
  if ( ! ifconfig gif"$2" > /dev/null ); then
    return 0
  fi
  if [ -e /tmp/.gif$2 ] && [ -e /tmp/.gifme ]; then
    if ( cat /tmp/.gif"$2" | awk '{ if ( $1 ~ /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/ ) print $1; else print "cre"}' |
         grep $1 > /dev/null ) &&
       ( head -1 /tmp/.gifme | awk '{ if ( $1 ~ /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/ ) print $1; else print "cre"}' |
         grep $3 > /dev/null ); then
      echo -e "Gif $2 is ok"
      return 1
    else
      echo ppp
      return 0
    fi
  fi
  return 0
}

me=`host $me | awk '{print $4}'`
cat /usr/local/etc/racoon/giftuns | while read hn tn lip rip nm
do
  h=`host $hn | awk '{print $4}'`
  check $h $tn $me && create_tun $h $tn $lip $rip $nm $me
done

This script sets up the tunnels; it can cope with many tunnels and gets its config
from a file called /usr/local/etc/racoon/giftuns.

This is of the format (one tunnel per line, the five fields the script reads as hn tn lip rip nm):


<remote_public_hostname> <tunnel_number> <local_tunnel_endpoint_ip> <remote_tunnel_endpoint_ip> <netmask>

e.g. 0
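The cron script above passes every field of giftuns straight to ifconfig, so a malformed line (wrong field count, a duplicate tunnel number, a bad address) produces a broken gif interface every minute with nothing to say why. The following validator is an added example, not part of the original article: it reads a giftuns file on stdin and returns the number of unusable lines. The hostnames and addresses in the samples are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): check a giftuns file before
# the cron job feeds its fields, unquoted, to ifconfig. Reads the file on stdin
# and returns the number of bad lines, so 0 means every line is usable.
# Expected line format, matching "read hn tn lip rip nm" in the cron script:
#   <remote_public_hostname> <tunnel_number> <local_tunnel_ip> <remote_tunnel_ip> <netmask>
# True if $1 is four dotted decimal octets in the range 0-255.
is_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1; exit 0 }
    { exit 1 }'
}

validate_giftuns() {
  bad=0; seen=""; lineno=0
  while read -r hn tn lip rip nm extra; do
    lineno=$((lineno + 1))
    case "$hn" in ''|'#'*) continue ;; esac        # blank line or comment
    if [ -z "$nm" ] || [ -n "$extra" ]; then
      echo "line $lineno: expected exactly 5 fields" >&2; bad=$((bad + 1)); continue
    fi
    case "$tn" in ''|*[!0-9]*)
      echo "line $lineno: tunnel number '$tn' is not numeric" >&2; bad=$((bad + 1)); continue ;;
    esac
    case " $seen " in *" $tn "*)
      echo "line $lineno: gif$tn is defined more than once" >&2; bad=$((bad + 1)); continue ;;
    esac
    seen="$seen $tn"
    for a in "$lip" "$rip" "$nm"; do
      is_ipv4 "$a" || { echo "line $lineno: '$a' is not a dotted-quad address" >&2; bad=$((bad + 1)); break; }
    done
  done
  return "$bad"
}

# Constructed sample input (hostnames and addresses are made up).
GOOD_GIFTUNS='siteb.dynu.example 0 192.168.100.1 192.168.100.2 255.255.255.252
sitec.dynu.example 1 192.168.100.5 192.168.100.6 255.255.255.252'

# Three faults: gif0 defined twice, an octet of 300, and a line with only 4 fields.
BAD_GIFTUNS='siteb.dynu.example 0 192.168.100.1 192.168.100.2 255.255.255.252
sitec.dynu.example 0 192.168.100.5 192.168.100.6 255.255.255.252
sited.dynu.example 2 192.168.100.9 192.168.100.300 255.255.255.252
sitee.dynu.example 3 192.168.100.13 192.168.100.14'

# Stand-alone run: report on the bad sample (use < /usr/local/etc/racoon/giftuns for the real file).
rc=0
printf '%s\n' "$BAD_GIFTUNS" | validate_giftuns || rc=$?
echo "bad lines: $rc"
```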

That's the tunnel sorted. They should now come up on each box. It may take a few minutes to settle down depending on whether the dynu host addresses are up to date. I think dynu use a TTL of 90s on their hosts, so that's the most it should take. At this point you won't be able to ping any tunnel endpoints, as key exchange isn't working yet. To fix this, install racoon
from ports. Use the default config file but modify the following items under remote anonymous to something@somethingelse, e.g.

    my_identifier user_fqdn "something@somethingelse";

    peers_identifier user_fqdn "something@somethingelse";

Do this on both hosts.

Edit the psk.txt file and enter a line with the identifier followed by the pre-shared key, e.g.

    something@somethingelse somekeyyouthinkof

Again, do this on both hosts.

Now restart racoon.

If all is well you should be able to ping the tunnel endpoints now.

Finally we need to get the routing sorted out.

Install zebra from ports on all the routers.

Use the following config files.

zebra.conf:


hostname your hostname

password something

enable password somethingelse

log syslog


bgpd.conf:

hostname your hostname

password something

enable password somethingelse

router bgp 65101

 bgp router-id your_host_ip


 neighbor remote-as 65102

access-list all permit any

ip prefix-list my-networks seq 5 permit

line vty

log syslog


All the routing should now work, and your VPN is up.

I need to redo the bgpd config file as I think it's incorrect at the moment, but it will be sorted in the full writeup if you think it's worth doing.


Hope this was of use; let me know if you want something more comprehensive doing.



 Chris Scott


0845 6684000

© 1997 - 2013 Defcon1. Copyrights for all materials on this web site are held by the individual authors, artists, photographers or creators. Materials may not be reproduced or otherwise distributed without permission of and the content's original author.
